shoulder surfing, man in the middle attacks, pharming, XSS, autofill hijacking, and my favorite, finding out their password on another site and using it on the site in question - since most users use the same password more than once. :)

This'll be my 4th attempt posting on this thread. I like your style, rsnake. I remember emailing you months back about a "survey" I had made using MySpace users' passwords for email, IM, and other applications, and the overall success I had with it.